Vast data warehouse raises HealthCare.gov privacy concerns (Update)

June 15, 2015 byRicardo Alonso-Zaldivar

In this Nov. 12, 2014, file photo, the HealthCare.gov website, where people can buy health insurance, is shown on a laptop screen in Portland, Ore. A government data warehouse stores information forever on millions of consumers seeking coverage under President Barack Obama's health care law. That's raising concerns about privacy at a time when major breaches have become common. (AP Photo/Don Ryan, File)

A government data warehouse that stores personal information on millions of HealthCare.gov customers is raising privacy concerns at a time when major breaches have become distressingly common.

A government privacy assessment dated Jan. 15 says data "is maintained indefinitely at this time," but the administration said Monday no final time frame has been decided, and the National Archives has recommended a 10-year retention period.

Known as MIDAS, the system is described on a federal website as the "perpetual central repository" for information collected under President Barack Obama's health care law.

The vast scope of the information—and the lack of a final plan for destroying old records nearly four years after the system was commissioned—have raised concerns about privacy and the government's judgment on technology.

"A basic privacy principle is that you don't retain data any longer than you have to," said Lee Tien, a senior staff attorney with the Electronic Frontier Foundation.

"Even 10 years feels long to me," Tien said.

The Obama administration says MIDAS is essential to the smooth operation of the health care law's insurance markets and meets or exceeds federal security and privacy standards. "MIDAS is a critical piece of the marketplace ecosystem," said spokesman Aaron Albright.

But Sen. Orrin Hatch, R-Utah, called the administration's approach "careless."

"Despite (a) poor track record on protecting the private information of Americans, they continue to use systems without adequately assessing these critical components," said Hatch, an opponent of the health care law.

Electronic record-keeping systems are standard for businesses and government agencies. They are supposed to have limits on how long they store personal data.

In the new wired world, every few weeks brings another security breach. Personnel records of millions of federal employees, including background information for security clearances, were compromised in the latest attacks making headlines. Earlier this year, health insurer Anthem reported that information on 80 million customers was hacked.

Before HealthCare.gov went live in 2013, Obama administration officials assured lawmakers and the public that an individual's personal information would be used mainly to determine eligibility for coverage, and that the Affordable Care Act would have a limited impact on privacy.

Marilyn Tavenner, the Medicare administrator at the time, told a congressional hearing: "We especially focused on storing the minimum amount of personal data possible," she added.

MIDAS has been criticized in opinion articles by former Social Security commissioner Michael Astrue, a Republican who disapproves of Obama administration policies. Independent experts on technology and privacy echoed some of the concerns.

"I accept they have an operational reason, if not a legal obligation, to keep data for a reasonable period," said Astrue, commissioner from 2007-2013. But there's no justification for keeping data indefinitely, he added. "I don't think they should be allowed to do it."

Michelle De Mooy, deputy director for consumer privacy at the Center for Democracy & Technology, said consumers have no way of knowing that their data is being routed to MIDAS. It's not mentioned on the HealthCare.gov website.

"When people go to government services sites, they don't have a choice," De Mooy said. "That means the privacy and security bar should be very high."

Although the privacy policy does not mention MIDAS specifically, administration spokesman Albright says its general functions are described.

MIDAS stands for Multidimensional Insurance Data Analytics System. It's owned by the federal Centers for Medicare and Medicaid Services and operated by a major government technology contractor, CACI. The administration says the contract is currently worth more than $110 million from 2011-2017. That's an increase of more than 85 percent from $59 million when it was awarded.

Some details about MIDAS, gleaned from interviews and publicly available documents:

The nonpartisan Government Accountability Office said in a report last year that the system went live without a thorough examination of privacy risks. Without such an analysis "it will be difficult for (the administration) to demonstrate that it has assessed the potential for (personal information) to be displayed to users ... and taken steps to ensure that the privacy of that data is protected," the GAO said.

The privacy assessment was not completed until mid-January, well into the health law's second sign-up season.

—The privacy analysis is vague on key details.

In a section that asks how many individuals have personal data in the system, the administration's privacy assessment says "1 million or more."

It's probably a lot more. In addition to the 10 million currently enrolled, MIDAS also keeps information on former customers, on consumers who started applications but never finished them and on people determined eligible for Medicaid.

The administration says "1 million or more" is a standard category—but won't specify the number.

—MIDAS has had multiple, evolving missions.

Government reports describe MIDAS as a resource for producing analytical reports. But it also seems to have evolved into a linchpin for data transactions with health insurance companies and state Medicaid agencies.

MIDAS gathers information from many other systems that serve the health care law's insurance markets.

The MIDAS privacy assessment says policies about personal data have changed over time to allow additional uses and disclosures. The scope of data collected also has been widened.

Related Stories

The Obama administration has concluded it will not publicly disclose federal records that could shed light on the security of the government's signature health care website because doing so could "potentially" allow hackers ...

(AP)—Insurers aren't required to encrypt consumers' data under a 1990s federal law that remains the foundation for health care privacy in the Internet age—an omission that seems striking in light of the major cyberattack ...

(HealthDay)—Two new U.S. reports suggest it's possible that people who signed up for health insurance under the Affordable Care Act on the federal government's health care website—or state websites in California and Connecticut—may ...

Constituting over 78 % of the air we breathe, nitrogen is the element found the most often in its pure form on earth. The reason for the abundance of elemental nitrogen is the incredible stability and inertness of dinitrogen ...

Off the coast of Washington, columns of bubbles rise from the seafloor, as if evidence of a sleeping dragon lying below. But these bubbles are methane that is squeezed out of sediment and rises up through the water. The locations ...

The dramatic difference in gonad size between honey bee queens and their female workers in response to their distinct diets requires the switching on of a specific genetic program, according to a new study publishing March ...

An international team based in Ghent, Belgium (VIB-UGent Center for Plant Systems Biology) and Basel, Switzerland (University of Basel), found a link between a class of enzymes and immune signals that is rapidly triggered ...

New photonic tools for medical imaging can be used to understand the nonlinear behavior of laser light in human blood for theranostic applications. When light enters biological fluids it is quickly scattered, however, some ...

One of the ocean's little known carnivores has been allocated a new place in the evolutionary tree of life after scientists discovered its unmistakable resemblance with other sea-floor dwelling creatures.

0 comments

Please sign in to add a comment.
Registration is free, and takes less than a minute.
Read more

Click here to reset your password.
Sign in to get notified via email when new comments are made.